- There is no universal framework — the right choice depends on industry, company size, and regulatory requirements.
- NIS2 is a legal obligation for affected companies; ISO 27001 is the best strategic hub for cross-mappings.
- Frameworks overlap significantly: Anyone who implements ISO 27001 properly has already covered 60–80% of other frameworks.
- For small companies (under 50 employees) without regulatory pressure, DIN SPEC 27076 is a good entry point before stepping up to ISO 27001.
- A central tool with cross-mappings saves duplicate work and makes multi-framework compliance manageable.
The Framework Landscape: Why There Is No Single Framework
Anyone dealing with information security for the first time quickly encounters a problem: There is not one framework, but half a dozen relevant ones. NIS2, ISO 27001, BSI IT-Grundschutz, TISAX, BSI C5, DIN SPEC 27076, each with its own target audience, level of detail, and legal basis. Some are legal obligations, others voluntary certifications, and still others industry-specific requirements that your biggest customer makes a condition of doing business.
The result: confusion. Companies implement the wrong framework, underestimate the effort, or — worse — ignore the topic entirely because the choice overwhelms them.
This article brings order to the chaos. You will learn what each framework delivers, who it is designed for, and how to find the right combination for your company. No academic theory — just a practice-oriented decision guide.
The Six Most Important Frameworks at a Glance
NIS2 — The Legal Obligation
The Network and Information Security Directive 2 (Directive (EU) 2022/2555) had to be transposed by the EU member states by 17 October 2024; in Germany this is done through the NIS2 Implementation Act (NIS2UmsuCG). NIS2 is not a framework in the classical sense but a legal obligation with concrete requirements for risk management, incident reporting, supply chain security, and management accountability.
Who is affected? Entities with 50 or more employees, or with annual turnover and annual balance sheet total each above EUR 10 million, operating in one of 18 defined sectors (11 in Annex I, 7 in Annex II of the directive): from energy and transport to healthcare and digital infrastructure to food production and waste management. In Germany, this affects approximately 29,000 companies.
What does NIS2 specifically require? A demonstrable set of cybersecurity risk-management measures (Art. 21): risk analysis and security policies, incident handling, business continuity and crisis management, supply chain security, secure acquisition, development and maintenance of systems, cyber hygiene and training, cryptography, access control and asset management, and multi-factor authentication where appropriate. Significant incidents must be reported in stages (Art. 23): an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month, in Germany to the BSI. The management body must approve and oversee these measures and can be held personally liable for breaches of that duty.
Effort: Medium to high, depending on maturity level. Companies without an existing ISMS should expect 6–12 months of setup time. Ongoing maintenance requires dedicated resources — at least a part-time Information Security Officer.
ISO 27001 — The International Standard
ISO/IEC 27001 is the globally recognised standard for information security management systems. The current 2022 version lists 93 controls in Annex A, grouped into four themes: organisational (37), people (8), physical (14), and technological (34). ISO 27001 certification is voluntary but is required by many customers and partners as a prerequisite for collaboration.
Who needs this? Essentially any company that wants to build its information security systematically. In practice, ISO 27001 is particularly relevant for IT service providers, software companies, consulting firms, and anyone working with sensitive data. Many B2B procurement processes require certification.
What makes ISO 27001 special? The standard follows the PDCA cycle (Plan-Do-Check-Act) and thus enforces continuous improvement. It is deliberately technology-neutral and industry-independent — making it flexible but also requiring interpretation. This is precisely why it is excellently suited as a hub for cross-mappings to other frameworks.
Effort: High. Initial certification typically takes 9–18 months and requires significant resources for documentation, risk assessment, and internal audits. Annual surveillance audits and recertification every three years keep the effort at a relevant level permanently.
BSI IT-Grundschutz — The German Detail Standard
BSI IT-Grundschutz is the most comprehensive framework on this list. The IT-Grundschutz Compendium from the Federal Office for Information Security contains over 100 modules, each with dozens of requirements — from server room planning to smartphone usage. Unlike ISO 27001, which deliberately remains abstract, IT-Grundschutz prescribes concrete technical and organisational measures.
Who needs this? Federal authorities are obligated to implement IT-Grundschutz. State authorities and municipal institutions are increasingly following suit. For companies processing public sector contracts, IT-Grundschutz certification can be a decisive competitive advantage. Companies seeking particularly detailed implementation guidance also benefit from Grundschutz.
What makes IT-Grundschutz special? The level of detail. While ISO 27001 says "you must control access to systems," IT-Grundschutz describes across multiple pages exactly how this should look for a Windows server, a Linux client, or an Active Directory. This specificity is simultaneously its greatest strength and its biggest hurdle.
Effort: Very high. Modelling according to IT-Grundschutz requires a complete inventory of all IT systems, applications, and rooms. For a mid-market company with a heterogeneous IT landscape, the structural analysis alone can take several months.
TISAX — The Automotive Must-Have
TISAX (Trusted Information Security Assessment Exchange) is the assessment and exchange procedure of the automotive industry, based on the VDA Information Security Assessment (ISA). It was developed so that automotive manufacturers and suppliers can uniformly assess their partners' information security without each OEM conducting its own audits.
Who needs this? Any company that works directly or indirectly for the automotive industry and has access to confidential OEM information. This affects not only Tier 1 suppliers but increasingly Tier 2 and Tier 3, IT service providers in the automotive sector, and engineering partners. If your customer requires a TISAX label, you have no choice.
What makes TISAX special? TISAX distinguishes between different assessment levels (AL 1–3) and between assessment objectives for information security, prototype protection, and data protection. Assessments are conducted by ENX-accredited audit providers, and results are shared via the ENX portal, so each company only needs to be assessed once, not separately for each OEM.
Effort: Medium to high, depending on the assessment level. AL 2 (the standard case) requires a self-assessment whose plausibility the audit provider checks remotely; AL 3 (for high protection needs) requires a full on-site audit with interviews and inspection. The good news: Anyone who already has an ISO 27001-certified ISMS covers a large portion of the TISAX requirements.
BSI C5 — The Cloud Trust Anchor
The Cloud Computing Compliance Criteria Catalogue (C5) from the BSI defines minimum requirements for cloud service security. C5 is primarily aimed at cloud service providers but is increasingly relevant for companies that use cloud services and need to demonstrate to regulators or customers that their providers meet certain security standards.
Who needs this? Cloud service providers that want to serve the German or European public sector need a C5 attestation. For federal authorities, the use of C5-attested cloud services has been mandatory since 2024. But in the private sector, too, more and more customers are asking for C5 attestations, especially in regulated industries such as financial services and healthcare.
What makes C5 special? C5 distinguishes between a Type 1 attestation (appropriateness of the controls at a specific date) and a Type 2 attestation (effectiveness of the controls over an audit period of at least six months). The audit is conducted by public auditors in accordance with the ISAE 3000 (Revised) assurance standard; the Type 1/Type 2 reporting distinction is the same one used in ISAE 3402 and SOC reports. This gives the attestation high evidential value, at corresponding cost.
Effort: High to very high. An initial C5 attestation is laborious and expensive, typically in the six-figure range. C5 is therefore primarily relevant for established cloud providers, not for SMEs just getting started.
DIN SPEC 27076 — The Entry Point for SMEs
DIN SPEC 27076 is the newcomer on this list and is designed specifically for very small and small enterprises. It standardises the IT security consultation known as the CyberRisikoCheck: a structured check that can be completed in a few hours and provides a clear baseline assessment. The result is a scorecard-based report with concrete recommendations for action.
Who needs this? Companies with fewer than 50 employees that do not yet have an ISMS and are looking for a structured entry point. DIN SPEC 27076 is not a replacement for ISO 27001 or NIS2 compliance, but an excellent first step to determine the current maturity level and prioritise next steps.
What makes it special? The low barrier to entry. The check covers 27 requirements across six topic areas, is conducted as an interview by an IT service provider trained for the procedure, and requires no in-house ISMS expertise. Government funding programmes are available for implementing the identified measures.
Effort: Low. The actual check takes 2–4 hours; implementation of recommendations varies by result. This is exactly what makes DIN SPEC 27076 so valuable as an entry point.
Comparison Table: All Frameworks at a Glance
| Criterion | NIS2 | ISO 27001 | BSI IT-Grundschutz | TISAX | BSI C5 | DIN SPEC 27076 |
|---|---|---|---|---|---|---|
| Type | Law (EU) | International standard | National standard (DE) | Industry standard (Auto) | Cloud criteria catalogue | Standardised check |
| Obligation | Legal (if affected) | Voluntary / contractual | Mandatory (federal) / voluntary | Contractual (OEM requirement) | Voluntary / regulatory | Voluntary |
| Target audience | Entities with 50+ employees (or above the turnover/balance sheet threshold) in 18 sectors | All industries and sizes | Government agencies, critical infrastructure, demanding companies | Automotive suppliers and service providers | Cloud service providers | Small enterprises (under 50 employees) |
| Scope | Risk management, incident response, supply chain, governance | Complete ISMS (93 controls) | Complete ISMS (100+ modules, very detailed) | Information security, prototype protection, data protection | Cloud security (17 areas) | Basic IT security (27 requirements) |
| Detail level | Medium (requirements, not measures) | Medium (what, not how) | Very high (concrete measures) | High (ISA questionnaire) | High (117 criteria) | Low (entry level) |
| Initial implementation effort | 6–12 months | 9–18 months | 12–24 months | 6–12 months | 6–12 months | 2–4 hours (check) |
| Certification/audit | Oversight by BSI | Accredited certification bodies | BSI certification or ISO 27001 based on IT-Grundschutz | ENX-accredited TISAX audit providers | Public auditors (ISAE 3000) | Trained IT service provider |
| Cost (order of magnitude) | Internal + fine risk | EUR 15,000–50,000 (certification) | EUR 30,000–100,000 | EUR 10,000–40,000 | EUR 50,000–200,000 | EUR 1,000–3,000 |
| Validity | Permanent (ongoing obligation) | 3 years (annual surveillance) | 3 years (annual surveillance) | 3 years | 1 year (Type 2) | Point-in-time snapshot |
How Frameworks Complement and Overlap Each Other
At first glance, the framework landscape looks like a jumble of competing standards. In reality, most frameworks complement each other and overlap significantly. This is because they all build on the same fundamental principles of information security: risk management, access control, incident response, business continuity, awareness.
The differences lie in the level of detail, the scope, and the type of obligation — not in the fundamental requirements. A company that has cleanly implemented ISO 27001 already meets 60–80% of the requirements of NIS2, TISAX, and BSI IT-Grundschutz. The remaining gaps are framework-specific particulars: the 24-hour reporting deadline in NIS2, prototype protection in TISAX, the technical detail depth in IT-Grundschutz.
This overlap is no coincidence. NIS2 (Art. 25) directs member states to encourage the use of European and international standards for implementing its security measures, and the ISO/IEC 27000 series is the obvious candidate. TISAX is built on ISO 27001 and extends it with industry-specific requirements. BSI IT-Grundschutz offers its own certification option, "ISO 27001 based on IT-Grundschutz", that bridges both worlds. BSI C5 also references ISO 27001 controls.
The Dangerous Trap: Framework Silos
What still goes wrong in practice: Companies treat each framework as an independent project. The Information Security Officer handles ISO 27001, the legal department handles NIS2, procurement demands TISAX evidence from suppliers, and nobody notices that 70% of the work is identical. Risk analyses are conducted three times, policies are maintained in different formats, audits are planned separately.
The result: triple the effort, inconsistent documentation, and frustrated employees. The solution lies in a central hub approach.
Cross-Mappings: ISO 27001 as a Strategic Hub
The most efficient strategy for multi-framework compliance is a hub-and-spoke model with ISO 27001 at the centre. The logic: ISO 27001 is the broadest and best-structured standard. Its 93 controls can be systematically mapped via the Statement of Applicability to the requirements of all other frameworks.
A cross-mapping shows you for each ISO 27001 control which requirements in NIS2, TISAX, IT-Grundschutz, and C5 are covered by it. So when you implement Control A.8.9 "Configuration Management," you immediately see that you are simultaneously fulfilling NIS2 Art. 21 para. 2 lit. e, TISAX Control 5.2.6, and several IT-Grundschutz modules.
Why This Is Worth Its Weight in Gold in Practice
Without cross-mapping, the following happens: Your auditor asks about the implementation of NIS2 Art. 21 para. 2 lit. g (basic cyber hygiene and cybersecurity training). You search your NIS2 documentation, find a training policy, but do not know whether it also covers TISAX. So you create a second set of documentation. During the ISO 27001 audit, you discover that you already covered Control A.6.3 (Information security awareness, education and training), just under a different name and in a different folder.
With cross-mapping, you have a single training policy that references ISO 27001 A.6.3. In the mapping, you immediately see that this control also covers NIS2 Art. 21(2)(g) and TISAX Control 3.1.2. One document, one process, three frameworks served. This is exactly how ISMS Lite works: All frameworks with cross-mappings in one system, so that one implementation record automatically serves all assigned requirements.
The Hub Model in Practice
A pragmatic hub model looks like this:
- Build the foundation: Implement your ISMS according to ISO 27001. This gives you the structure, the PDCA cycle, and the 93 controls as anchor points.
- Map mandatory frameworks: Check which additional frameworks are mandatory for you (NIS2? TISAX?). Map their requirements to your existing ISO 27001 controls.
- Identify gaps: The mapping gaps show you exactly what you need to implement additionally. For NIS2, these are primarily the specific reporting deadlines and management liability. For TISAX, prototype protection.
- Close gaps: Supplement your ISMS with the missing elements in a targeted way. No parallel structure — integrate into the existing system.
- Consolidate evidence: One audit programme, one risk management system, one policy library — with references to all relevant frameworks.
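To make the hub model concrete, here is a small cross-mapping model as an added example (not code from the original article or from any ISMS product): ISO 27001 controls form the hub, NIS2 and TISAX requirements are the spokes, and a gap report shows which spoke requirements are covered by implemented ISO controls, which are waiting on an ISO control that is not yet implemented, and which are framework-specific particulars with no ISO counterpart at all. The implementation statuses are constructed sample data. The control pairings A.8.9 / Art. 21(2)(e) / TISAX 5.2.6 and A.6.3 / Art. 21(2)(g) / TISAX 3.1.2 follow the ones named in this article; the additional A.5.24 and A.5.19 pairings and the short requirement labels are this example's own assumptions.

```python
"""Hub-and-spoke cross-mapping with gap analysis (constructed example data)."""

STATUS_COVERED = "covered"
STATUS_ISO_OPEN = "gap: mapped ISO control not yet implemented"
STATUS_UNMAPPED = "gap: framework-specific, no ISO control covers it"

# Hub: ISO 27001:2022 Annex A controls and their implementation status.
# Constructed sample: True = implemented with evidence, False = not yet.
ISO_STATUS = {
    "A.5.19": False,  # Information security in supplier relationships
    "A.5.24": True,   # Incident management planning and preparation
    "A.6.3": True,    # Information security awareness, education and training
    "A.8.9": True,    # Configuration management
}

# Spokes: requirements of other frameworks, each mapped to the ISO controls
# that cover it. An empty list marks a framework-specific particular that no
# ISO control covers and that must be implemented as an additional measure.
# Pairings beyond those named in the article are assumptions of this example.
CROSS_MAPPING = {
    "NIS2": {
        "Art. 21(2)(b) incident handling": ["A.5.24"],
        "Art. 21(2)(d) supply chain security": ["A.5.19"],
        "Art. 21(2)(e) secure acquisition, development and maintenance": ["A.8.9"],
        "Art. 21(2)(g) cyber hygiene and training": ["A.6.3"],
        "Art. 23 24-hour early warning to the BSI": [],
    },
    "TISAX": {
        "3.1.2 awareness and training": ["A.6.3"],
        "5.2.6 configuration management": ["A.8.9"],
        "prototype protection": [],
    },
}


def requirement_status(framework: str, requirement: str) -> str:
    """Classify one spoke requirement against the hub's implementation status."""
    controls = CROSS_MAPPING[framework][requirement]
    if not controls:
        return STATUS_UNMAPPED
    # A requirement is covered only when every mapped ISO control is implemented;
    # a single unimplemented control leaves the requirement open.
    if all(ISO_STATUS[control] for control in controls):
        return STATUS_COVERED
    return STATUS_ISO_OPEN


def coverage_report(framework: str) -> dict:
    """Coverage percentage and the remaining gaps for one spoke framework."""
    statuses = {req: requirement_status(framework, req) for req in CROSS_MAPPING[framework]}
    covered = sum(1 for status in statuses.values() if status == STATUS_COVERED)
    return {
        "framework": framework,
        "covered_pct": round(100 * covered / len(statuses)),
        "gaps": {req: status for req, status in statuses.items() if status != STATUS_COVERED},
    }


def requirements_served_by(control: str) -> list:
    """Reverse lookup: every spoke requirement one ISO control serves.
    This is the 'one document, one process, several frameworks served' view."""
    served = []
    for framework, requirements in CROSS_MAPPING.items():
        for requirement, controls in requirements.items():
            if control in controls:
                served.append((framework, requirement))
    return served


if __name__ == "__main__":
    for name in CROSS_MAPPING:
        report = coverage_report(name)
        print(f"{report['framework']}: {report['covered_pct']}% covered")
        for requirement, status in report["gaps"].items():
            print(f"  {requirement}: {status}")
    print("A.6.3 serves:", requirements_served_by("A.6.3"))
```

The two gap kinds are deliberately kept apart: a gap caused by an unimplemented ISO control is closed inside the ISMS (implement A.5.19 and both the ISO audit and the NIS2 supply chain requirement are served at once), whereas an unmapped particular such as the 24-hour early warning or prototype protection needs its own measure, which is exactly the "close gaps" step above.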
Decision Guide: Which Framework for Which Company?
The right framework choice depends on three factors: regulatory obligations, customer requirements, and strategic goals. Here is a practical decision logic:
Step 1: Clarify Obligations
Are you affected by NIS2? Check the sector list and the size thresholds (50 or more employees, or annual turnover and balance sheet total each above EUR 10 million, in one of the 18 sectors). If yes, NIS2 compliance is non-negotiable: it is binding law with significant fines and personal liability of the management body.
Are you a federal authority or critical infrastructure operator? Then BSI IT-Grundschutz is your primary framework.
Step 2: Check Customer Requirements
Do your customers or partners require a specific certification? In the automotive world, that is almost always TISAX. In IT services, ISO 27001 is frequently required. Cloud providers for the public sector need a C5 attestation.
Step 3: Set Your Strategy
If neither legal obligation nor customer requirements force a specific framework, you have freedom of choice. And in that case, the recommendation is almost always: ISO 27001 as the strategic foundation. Why?
- Universal recognition: ISO 27001 is understood and accepted worldwide.
- Hub function: All other frameworks can be mapped to it.
- Future-proofing: If your company grows, wins new customers, or expands into regulated markets, ISO 27001 gives you the best starting position.
- Market advantage: An ISO 27001 certification opens doors in procurement and customer conversations.
Practical Recommendations by Industry and Scenario
Mid-Market IT Service Provider (80 employees, B2B)
Recommendation: ISO 27001 + NIS2
You are very likely affected by NIS2 (sector: digital infrastructure or ICT service management). Start with ISO 27001 as the foundation and map NIS2 on top. ISO 27001 certification is also your strongest sales argument. The additional NIS2 effort is manageable once the ISO foundation is in place.
Automotive Supplier (200 employees, Tier 2)
Recommendation: ISO 27001 + TISAX + NIS2
TISAX is contractually required; NIS2 likely applies through the "manufacturing" sector (Annex II of the directive lists the manufacture of motor vehicles, trailers and semi-trailers). Build ISO 27001 as the hub, implement the TISAX specifics (prototype protection, VDA ISA), and map NIS2 on top. Most of the work only needs to be done once.
Cloud SaaS Provider (120 employees)
Recommendation: ISO 27001 + BSI C5 + NIS2
ISO 27001 as the foundation, C5 as a differentiator in the German market (especially if public sector clients are target customers). NIS2 comes as a legal obligation. The three frameworks have high overlap; with clean cross-mapping, the additional effort for C5 and NIS2 remains manageable.
Trades Business or Small Service Company (25 employees)
Recommendation: DIN SPEC 27076 as an entry point
Not yet affected by NIS2, no customer certification requirements. DIN SPEC 27076 gives you an honest baseline assessment and concrete measures to catch up on the basics. If the company grows or regulatory requirements emerge, you can build up to ISO 27001 in a structured way from there. Take advantage of government funding programmes for the check.
Mid-Market Mechanical Engineering Company (150 employees, OEM supplier)
Recommendation: ISO 27001 + NIS2, TISAX in perspective
NIS2 applicability through the "manufacturing" sector is likely. ISO 27001 as the foundation gives you structure and credibility with your OEM customers. If individual customers require TISAX, the delta from a clean ISO 27001 implementation is manageable.
Municipal IT Service Provider or Data Centre
Recommendation: BSI IT-Grundschutz + NIS2, optionally C5
For public sector service providers, BSI IT-Grundschutz is the direct path. The level of detail is not a disadvantage here but an advantage: Your clients know and expect exactly this standard. NIS2 applies through critical infrastructure or the "digital infrastructure" sector. If you offer cloud services to government agencies, a C5 attestation is the logical next step.
The Most Common Mistakes in Framework Selection
Mistake 1: Too Much at Once
Companies that try to implement NIS2, ISO 27001, TISAX, and IT-Grundschutz simultaneously and independently almost always fail. The project burden is too high, documentation becomes inconsistent, and employees lose track. Better: Implement one framework as the foundation and map the others onto it step by step.
Mistake 2: Too Little Action
The other extreme: Companies that do only the bare minimum for NIS2 without building a sustainable structure. If you need an ISMS anyway, invest the additional effort for ISO 27001. The structure pays off with every future requirement.
Mistake 3: Choosing a Framework Based on the Cheapest Consultant
Framework choice should be driven by your regulatory obligations and business requirements, not by which consultant is currently available or which framework they know best. A TISAX specialist is the wrong choice if you primarily need NIS2 compliance.
Mistake 4: Treating Frameworks as Checklists
All these frameworks require a management system — meaning a continuous process of planning, implementation, review, and improvement. Anyone who treats information security as a one-time checklist will have a problem at the next audit. And an even bigger problem with the next real threat.
How a Central Tool Makes the Difference
The theory of cross-mappings and hub models sounds compelling. In practice, it often fails at the tooling question: Excel spreadsheets with cross-references quickly become unmanageable, separate documentation for different frameworks drifts apart, and mapping measures to controls from different frameworks becomes a test of patience.
This is exactly where a specialised ISMS tool comes in. The requirements are clear:
- Multi-framework support: All relevant frameworks with their controls in one system.
- Cross-mappings: Automatic mapping between frameworks. When you implement an ISO 27001 control, you immediately see which NIS2 and TISAX requirements are covered.
- Consolidated risk management: One risk analysis that references all frameworks.
- Unified policies: One policy library with references to the respective framework requirements.
- Statement of Applicability: Cross-framework, with implementation status and gap analysis.
- Audit trail: Complete documentation of all changes, relevant for any auditor regardless of framework.
Without such a tool, multi-framework compliance remains a theoretical concept. With the right tool, it becomes manageable — even for companies without a dedicated compliance department.
The Right Sequence: A Pragmatic Roadmap
If you are starting from scratch today and know that multiple frameworks will be relevant, follow this roadmap:
Phase 1 (Months 1–2): Baseline Assessment
Conduct a DIN SPEC 27076 analysis or use an internal assessment. Identify your current maturity level and the biggest gaps. In parallel, clarify your NIS2 applicability and collect customer certification requirements.
Phase 2 (Months 2–6): Lay the Foundation
Begin building your ISMS according to ISO 27001. Define the scope, conduct the first risk analysis, create the mandatory documents (information security policy, risk treatment plan, Statement of Applicability). From the start, use a tool with cross-mapping capability so you keep NIS2 coverage in view in parallel.
Phase 3 (Months 6–9): Close Gaps
Use cross-mappings to identify where NIS2, TISAX, or other frameworks impose additional requirements. Close these gaps in a targeted way: NIS2 reporting processes, TISAX prototype protection, industry-specific measures. Start the internal audit programme.
Phase 4 (Months 9–12): Evidence and Certification
Conduct internal audits, prepare the management review, and start the certification process for ISO 27001 and/or TISAX. Document your NIS2 compliance demonstrably.
Ongoing: PDCA Cycle
After initial implementation, the actual ISMS operation begins: regular risk analyses, training, incident management, audits, management reviews, continuous improvement. This is not a project with an end date but a permanent process.
Conclusion: Framework Choice Is a Strategic Decision
The question "Which framework do I need?" has no universal answer. But it has a clear decision logic: obligations first, then customer requirements, then strategic goals. And almost always, the most pragmatic path leads through ISO 27001 as the hub, supplemented by the specific requirements of the frameworks that are mandatory or business-critical for your company.
The decisive point is not which framework you choose, but how you implement it. A well-implemented ISMS based on ISO 27001 with clean cross-mappings beats five half-heartedly completed checklists for five different frameworks. And a specialised tool that handles the cross-mappings for you and brings all frameworks together in one system makes the difference between "multi-framework compliance as theory" and "multi-framework compliance as lived practice."
Start with one framework, but think in mappings from the very beginning. Your future self will thank you.
Further Reading
- NIS2 vs. ISO 27001: Differences, Similarities, and How Both Fit Together
- Building an ISMS: The Complete Guide for Companies with 50 to 500 Employees
- NIS2 for SMEs: What You Need to Know and What to Do Now
- Creating a Statement of Applicability (SoA): Selecting and Justifying Controls
- Risk Assessment in the ISMS: Methodology, Matrix, and Practical Example
